
WGET HSTS List Exposure

By kannthu

Informative
Vidoc Module
#devops#exposure#wget#files
Description

WGET HSTS List Exposure

What is the "WGET HSTS List Exposure"?

The "WGET HSTS List Exposure" module detects a publicly served copy of GNU Wget's HSTS database, the file whose first line reads "HSTS 1.0 Known Hosts database for GNU Wget". Wget writes this file (by default ~/.wget-hsts) to remember which hosts have sent an HTTP Strict Transport Security header, so that later requests to those hosts are upgraded to HTTPS. HSTS itself is a web security policy mechanism that helps protect against protocol downgrade attacks and cookie hijacking. The file is a client-side cache and should never be reachable over HTTP; when it is, the web root usually overlaps with a user's home directory or with a directory in which wget was run, and the file leaks which hosts that user has fetched.

This module has an informative severity level: it reports an information disclosure that can help an attacker, but it does not by itself indicate an exploitable vulnerability.

Impact

An exposed .wget-hsts file reveals, for every entry, a hostname, a port, whether subdomains are included, a creation timestamp and a max-age. Together these tell an attacker which internal or third-party hosts the server's operator has contacted with wget (package mirrors, internal repositories, monitoring endpoints) and roughly when, which is useful reconnaissance for targeted attacks and phishing. The exposure is also a signal that a home directory or a working directory is being served, so other files in the same location may be reachable and should be checked. Keep the file, and the directory it lives in, outside the web root.

How does the module work?

The "WGET HSTS List Exposure" module sends a GET request to the "/.wget-hsts" path of the target web application. It then applies two matching conditions, both of which must hold:

    - The response body contains the phrase "HSTS 1.0 Known Hosts database for GNU Wget". This is the header line wget writes at the top of the file, so its presence shows the response really is the HSTS list and not a catch-all page.
    - The response status code is 200, confirming that the file is served rather than redirected or denied.

If both conditions are met, the module reports a vulnerability, indicating that the HSTS list is exposed. Requiring the word match as well as the status code is what keeps servers that answer 200 for every path from producing a false positive.

Example HTTP request:

GET /.wget-hsts HTTP/1.1
Host: example.com

Note: The above example is a simplified representation of the HTTP request. Actual requests may contain additional headers or parameters.
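As an added example (not part of this module page or of Vidoc's own code), the following Python script reproduces the two matching conditions and goes one step further than the module: it parses the entries a served .wget-hsts file contains, which is what a tester needs in order to triage the finding. The sample file body is constructed for the example, and its hostnames are placeholders; the user-agent string and the helper names are likewise assumptions of the example.

```python
"""Check a target for an exposed GNU Wget HSTS database and triage its contents."""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

HSTS_PATH = "/.wget-hsts"
# Header line wget writes at the top of the file; the module's word matcher looks for it.
HSTS_MARKER = "HSTS 1.0 Known Hosts database for GNU Wget"


@dataclass
class HstsEntry:
    host: str
    port: int                # 0 is wget's encoding of the default HTTPS port (443)
    include_subdomains: bool
    created: int             # Unix timestamp when wget first stored the policy
    max_age: int             # policy lifetime in seconds, as sent by the host

    @property
    def expires_at(self) -> int:
        return self.created + self.max_age


def is_exposed(status: int, body: str) -> bool:
    """Apply the module's two conditions: HTTP 200 and the wget header in the body."""
    return status == 200 and HSTS_MARKER in body


def parse_wget_hsts(body: str) -> List[HstsEntry]:
    """Parse the tab-separated entries of a .wget-hsts file, skipping comment lines."""
    entries = []
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            continue  # tolerate a damaged line rather than abort the triage
        host, port, incl, created, max_age = fields
        entries.append(HstsEntry(host, int(port), incl == "1", int(created), int(max_age)))
    return entries


def fetch(base_url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET <base_url>/.wget-hsts and return (status, body); non-2xx is returned, not raised."""
    req = urllib.request.Request(base_url.rstrip("/") + HSTS_PATH,
                                 headers={"User-Agent": "hsts-exposure-check"})  # assumed UA
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def summarize(entries: List[HstsEntry]) -> List[str]:
    """One human-readable line per entry, oldest first: what the operator has been fetching."""
    lines = []
    for e in sorted(entries, key=lambda x: x.created):
        port = 443 if e.port == 0 else e.port
        seen = datetime.fromtimestamp(e.created, tz=timezone.utc).strftime("%Y-%m-%d")
        subs = "yes" if e.include_subdomains else "no"
        lines.append(f"{e.host}:{port} first seen {seen} subdomains={subs}")
    return lines


# Constructed sample body in the format wget writes (hostnames are placeholders).
SAMPLE_BODY = (
    "# HSTS 1.0 Known Hosts database for GNU Wget.\n"
    "# Edit at your own risk.\n"
    "# <hostname>\t<port>\t<incl. subdomains>\t<created>\t<max-age>\n"
    "example.com\t0\t1\t1700000000\t31536000\n"
    "repo.internal.example\t8443\t0\t1700100000\t15552000\n"
)

if __name__ == "__main__":
    # With a URL argument the script checks a live target; without one it runs on the sample.
    if len(sys.argv) > 1:
        status, body = fetch(sys.argv[1])
    else:
        status, body = 200, SAMPLE_BODY
    if not is_exposed(status, body):
        print(f"not exposed (status {status})")
        sys.exit(0)
    print("EXPOSED: .wget-hsts served with status 200")
    for line in summarize(parse_wget_hsts(body)):
        print("  " + line)
```

Run it as `python3 check_wget_hsts.py https://example.com` to test a live host, or with no argument to see the triage on the constructed sample. The status check and the word check are kept as one function so the script reports exactly what the module would report; the parser is the extra step that turns an "informative" hit into a list of hosts worth following up.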

Scan the web application regularly for files like this one. The fix is to keep the web root out of any home or working directory in which wget is run (or point wget elsewhere with its --hsts-file option) and to deny access to dotfiles in the web server configuration. Addressing the misconfigurations this module identifies improves the overall security posture of the web application.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET/.wget-hsts
Matching conditions
word: HSTS 1.0 Known Hosts database for GNU Wg...and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability